Abstract
XML is rapidly emerging as a standard for data representation and exchange over the World Wide Web, and an increasing amount of sensitive business data is processed in XML format. It is therefore critical to have control mechanisms that restrict each user to only the parts of XML documents that she is authorized to access. In this paper, we propose the first DTD-based access control model that employs graph matching to determine whether an input query is fully acceptable, fully rejectable, or partially acceptable. As a result, fully acceptable and fully rejectable queries incur no further security overhead during processing. For partially acceptable queries, we propose a graph-matching-based authorization model with an optimized rewriting procedure, in which a recursive query (a query with the descendant axis ‘//’) is rewritten into an equivalent recursive query if possible and into a non-recursive one only if necessary, resulting in queries that can take full advantage of structural-join-based query optimization techniques. Moreover, we propose an index structure for XML element types to speed up the query rewriting procedure, a facility that is potentially useful for applications with large DTDs. Our performance study results showed that our algorithms, armed with rewriting indexes, are promising.
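The three-way classification described in the abstract can be illustrated with a simplified sketch. This is an added example, not the paper's algorithm or code: the DTD, the deny policy and all function names are constructed assumptions, and a partially acceptable query is always expanded into non-recursive paths, whereas the paper keeps ‘//’ where an equivalent recursive rewriting exists.

```python
import re

# Constructed DTD graph (element type -> child types); acyclic, so '//' expands finitely.
DTD = {
    "hospital": ["dept"], "dept": ["patient", "staff"],
    "patient": ["name", "diagnosis"], "staff": ["name", "salary"],
    "name": [], "diagnosis": [], "salary": [],
}
ROOT = "hospital"
# Assumed policy: root-to-node paths whose whole subtree is denied to this user.
DENIED = {("hospital", "dept", "staff")}
STEP = re.compile(r"(//|/)(\w+|\*)")  # child and descendant axes only, no predicates

def children(path):
    """Paths one step below `path`; () is the document node above the root."""
    return [(ROOT,)] if not path else [path + (c,) for c in DTD[path[-1]]]

def descendants(path):
    """All paths strictly below `path` in the DTD graph."""
    for child in children(path):
        yield child
        yield from descendants(child)

def expand(query):
    """Every root-to-node path in the DTD graph that the query can select."""
    frontier = {()}
    for axis, name in STEP.findall(query):
        step = children if axis == "/" else descendants
        frontier = {c for p in frontier for c in step(p) if name in ("*", c[-1])}
    return sorted(frontier)

def accessible(path):
    """A selected node is returned with its subtree, so it is safe only if no
    denied path is a prefix of it (node lies inside a denied subtree) or an
    extension of it (node contains a denied subtree)."""
    return not any(d[:len(path)] == path[:len(d)] for d in DENIED)

def classify(query):
    """Return (verdict, queries to run) for one path query."""
    paths = expand(query)
    allowed = [p for p in paths if accessible(p)]
    if not allowed:  # also covers queries the DTD can never satisfy
        return "fully rejectable", []
    if len(allowed) == len(paths):
        return "fully acceptable", [query]  # run unchanged, no rewriting cost
    return "partially acceptable", ["/" + "/".join(p) for p in allowed]

if __name__ == "__main__":
    for q in ("//diagnosis", "//salary", "//name", "/hospital/dept"):
        print(q, "->", classify(q))
```

The last sample query is rejected because `dept` contains the denied `staff` subtree; that conservative handling of selected nodes with denied descendants is a choice of this sketch.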
Cite this article
Chebotko, A., Chang, S., Lu, S. et al. Secure XML querying based on authorization graphs. Inf Syst Front 14, 617–632 (2012). https://doi.org/10.1007/s10796-010-9289-2
DOI: https://doi.org/10.1007/s10796-010-9289-2